CLAIMS

What is Claimed is: 

1. A method comprising:
stalling a call to a critical operating system (OS) function; and
determining whether said call is from a return instruction.

2. The method of Claim 1 wherein said determining whether said call is from a return instruction comprises:
looking up a value at a previous top of stack; and
determining whether said value is equivalent to an address of said critical OS function.

3. The method of Claim 2 wherein a determination is made that said call is from a return instruction when a determination is made that said value is equivalent to said address of said critical OS function.

4. The method of Claim 2 wherein a determination is made that said call is not from a return instruction when a determination is made that said value is not equivalent to said address of said critical OS function.

5. The method of Claim 2 further comprising taking protective action to protect a computer system upon a determination that said value is equivalent to said address of said critical OS function.

6. The method of Claim 2 further comprising allowing said call to proceed upon a determination that said value is not equivalent to said address of said critical OS function.

7. The method of Claim 2 wherein said previous top of stack is at address [ESP-4].

8. The method of Claim 7 wherein a top of stack is at address [ESP].

9. The method of Claim 1 wherein upon a determination that said call is from said return instruction during said determining, said method further comprising taking protective action to protect a computer system.

10. The method of Claim 9 wherein said taking protective action comprises terminating said call.

11. The method of Claim 9 wherein said taking 
protective action comprises terminating a call module 
originating said call. 



12. The method of Claim 9 wherein said taking protective action comprises terminating a parent application comprising a call module originating said call.

13. The method of Claim 9 further comprising providing 
a notification that said protective action has been taken. 



14. The method of Claim 1 wherein upon a determination that said call is from said return instruction during said determining, said method further comprising determining whether said call is a known false positive.

15. The method of Claim 14 wherein upon a determination that said call is not said known false positive, said method further comprising taking protective action to protect a computer system.

16. The method of Claim 15 further comprising providing a notification that said protective action has been taken.

17. The method of Claim 14 wherein upon a determination that said call is said known false positive, said method further comprising allowing said call to proceed.

18. The method of Claim 1 further comprising hooking 
said critical OS function. 

19. The method of Claim 1 further comprising 
originating said call to said critical OS function. 

20. The method of Claim 1 wherein said critical OS 
function is necessary for a first application to cause 
execution of a second application. 

21. The method of Claim 20 wherein said second application allows remote access of a computer system.

22. A method comprising:
stalling a call to a critical operating system (OS) function;
looking up a value at a previous top of stack; and
determining whether said value is equivalent to an address of said critical OS function, wherein upon a determination that said value is equivalent to said address of said critical OS function, said method further comprising taking protective action to protect a computer system.

23. The method of Claim 22 wherein upon a determination 
that said value is not equivalent to said address of said 
critical OS function, said method further comprising allowing 
said call to proceed. 

24. A computer program product comprising:
a Return-to-LIBC attack blocking application for stalling a call to a critical operating system (OS) function;
said Return-to-LIBC attack blocking application further for looking up a value at a previous top of stack; and
said Return-to-LIBC attack blocking application further for determining whether said value is equivalent to an address of said critical OS function, wherein upon a determination that said value is equivalent to said address of said critical OS function, said Return-to-LIBC attack blocking application further for taking protective action to protect a computer system comprising said Return-to-LIBC attack blocking application.
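
The check recited in Claims 2 through 8, as an added example that is not part of the patent text: a small C simulation of a 32-bit stack showing why the value at [ESP-4] equals the function's address after a RET but not after a CALL. The cpu_t model, the helper names and all addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit x86 stack: byte array indexed by ESP (all values constructed). */
#define STACK_SIZE 64
#define CRITICAL_FN 0x7C801000u  /* hypothetical address of the hooked critical OS function */

typedef struct { uint8_t mem[STACK_SIZE]; uint32_t esp; uint32_t eip; } cpu_t;

static uint32_t rd32(const cpu_t *c, uint32_t a) { uint32_t v; memcpy(&v, &c->mem[a], 4); return v; }
static void wr32(cpu_t *c, uint32_t a, uint32_t v) { memcpy(&c->mem[a], &v, 4); }

/* CALL target: push the return address, then jump. */
static void do_call(cpu_t *c, uint32_t target, uint32_t ret_addr) {
    c->esp -= 4; wr32(c, c->esp, ret_addr); c->eip = target;
}

/* RET: pop the top of stack into EIP. The popped value stays in memory at [ESP-4]. */
static void do_ret(cpu_t *c) { c->eip = rd32(c, c->esp); c->esp += 4; }

/* Hook check (Claims 2 and 7): compare the value at the previous top of stack,
   [ESP-4], with the address of the critical function. Nonzero means "from a return". */
static int entered_via_ret(const cpu_t *c, uint32_t fn_addr) {
    return rd32(c, c->esp - 4) == fn_addr;
}

/* Ordinary path: the caller executes CALL CRITICAL_FN. Returns 1 if flagged. */
int check_normal_call(void) {
    cpu_t c = { .esp = 32 };
    do_call(&c, CRITICAL_FN, 0x00401234u);  /* constructed return address */
    return entered_via_ret(&c, CRITICAL_FN);
}

/* Return path: the saved return slot holds CRITICAL_FN when RET executes. */
int check_ret_entry(void) {
    cpu_t c = { .esp = 32 };
    wr32(&c, c.esp, CRITICAL_FN);  /* constructed overwritten return slot */
    do_ret(&c);
    return entered_via_ret(&c, CRITICAL_FN);
}

int main(void) {
    printf("CALL entry flagged: %d\n", check_normal_call());
    printf("RET entry flagged:  %d\n", check_ret_entry());
    return 0;
}
```

After a CALL, [ESP] holds the caller's return address and [ESP-4] holds unrelated stale data; after a RET, the address just popped is still in memory at [ESP-4], which is what the comparison detects.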